Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Advisory: An integer underflow in untrusted 0.6.1 and older which could lead to panic #24

Merged
merged 1 commit into from
Jun 25, 2018

Conversation

oherrala
Copy link
Contributor

Ping @briansmith, the author and maintainer of untrusted who has seen this advisory before submission.

Short description:

A mistake in error handling in untrusted before 0.6.2 could lead to an integer underflow and panic if a user of the crate didn't properly check for errors returned by untrusted.

Combination of these two programming errors (one in untrusted and another by user of this crate) could lead to a panic and maybe a denial of service of affected software.

The error in untrusted is fixed in release 0.6.2 released 2018-06-21. It's also advisable that users of untrusted check for their sources for cases where errors returned by untrusted are not handled correctly.

@tarcieri tarcieri merged commit 0c1ba96 into rustsec:master Jun 25, 2018
tarcieri added a commit that referenced this pull request Jun 25, 2018
@tarcieri
Copy link
Member

Assigned RUSTSEC-2018-0001 in 3c0458d

@tarcieri tarcieri mentioned this pull request Jun 27, 2018
int08h added a commit to int08h/roughenough that referenced this pull request Jul 28, 2018
Update 'untrusted' 0.5 -> 0.6 to pull in security fix in 0.6.2.
rustsec/advisory-db#24

Also update 'ring' to 0.13 to be compatible with untrusted 0.6.

Fixes #6
@tarcieri tarcieri added advisory security advisory PRs denial of service attacker can crash/prevent access to service labels Aug 25, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
advisory security advisory PRs denial of service attacker can crash/prevent access to service
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants